Setting Up freeradius3

Latest LEDE build, simply running radiusd -X brings this up...

    root@OpenWrt:~# radiusd -X
    Error loading shared library No such file or directory (needed by /usr/sbin/radiusd)
    Error loading shared library No such file or directory (needed by /usr/sbin/radiusd)
    Error loading shared library No such file or directory (needed by /usr/sbin/radiusd)


Answering myself...

It seems that radiusd is expecting the libs in /usr/lib, but they are in /usr/lib/freeradius3 and there are no symlinks. OTOH, the init.d has LD_LIBRARY_PATH configured so it might not be a problem unless one runs radiusd this way.

Also, opkg install freeradius3-mod-eap-ttls fails because of a duplicated inner-tunnel symlink in another package.

And running radclient results in a segfault; radeapclient works though.

Besides, the users file is now /etc/freeradius3/mods-config/files/authorize

Moreover, there are a few more opkg packages now.

These are some of the issues one may encounter coming from a freeradius2 setup from OpenWrt.



Just an update, the democerts expiry date is today... Guess LEDE needs to adjust this so people testing their setup won't run into problems because of this?

    Not Before: Feb  2 14:24:56 2017 GMT
    Not After : Apr  3 14:24:56 2017 GMT

It's probably because the defaults of the makefile stipulate a validity of 60 days.


Did you get it working properly? I have plans to play with freeradius too in a few days.

Yes, by creating my own certs.

The issue is also fixed upstream, but I am not sure if it's before or after the latest LEDE release.

Anyhow, since the latest official LEDE release was on 18/Apr, you shouldn't run into this issue if you try out now.


The file clash between PEAP and TTLS is still here in 17.01.4. As is the issue with the shared libs in a different location. Out of interest: why was this done? Can't find motivation for it, and it's cumbersome.


Setting up freeradius3 on an Archer C7.

First thing to notice was the links in the library directory when doing radiusd -X test runs.

Second thing to notice is that there seems to be no package of type "freeradius3-full" to pull in all modules. So one needs to either install them all or add them one by one.

Failed to find "reject" as a module or policy.

-> install freeradius3-mod-always

Failed to find "suffix" as a module or policy.

-> install freeradius3-mod-realm

The greatest problem for me will be, I think, that the concepts are explained nowhere. I assume that one can build a quite wild combination of authenticating sources, whereas my simple intention is to just set up first a file-based username/password combinations for wireless, and then maybe later use an external storage for credentials.

Update 1:

/etc/freeradius3/policy.d/accounting[37]: Failed parsing expanded string:
/etc/freeradius3/policy.d/accounting[37]: %{md5:%{1},%{Acct-Session-ID}}
/etc/freeradius3/policy.d/accounting[37]: ^ Unknown module

-> install freeradius3-mod-expr

Update 2:

After you get the server to start with the default configuration, you have installed all the module packages except freeradius3-mod-ldap and freeradius3-mod-passwd.

Update 3:

In /etc/freeradius3/mods-config/files/authorize

I have the line

testing Cleartext-Password := "paaswoord"

Now I need to find the radtest binary to test basic password authentication.

Update 4:

Seems like radtest is missing from the freeradius3-utils package. But since it is just a front-end for radclient, I need to figure out the latter one's syntax. I do see the segfaults mentioned elsewhere, and need to find a solution for those too.

Update 5:

Did /usr/lib# for A in freeradius3/* ; do ln -s $A ; done but not sure if it did any good. The segfault is still there in radclient.

Update 6:

Since the radclient that comes with OpenWRT just segfaults, one can use a nearby linux workstation to test basic authentication. For this one needs to add the workstation into /etc/freeradius3/clients.conf. As in here:

client workstation {
	ipaddr		= workstations_name
	secret		= myownsecret
}

Of course, in place of the workstation's name you write its IP address if it is not in your local DNS. Then you test it as in

radtest <account name> <password> <router ip> <nas port> <secret>

where the nas port is just any number, i.e.

radtest testing paaswoord <router ip> 0 myownsecret
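
Added example, not part of the thread: a small Python stand-in for radtest, for the workstation test described above when no working radclient is at hand. It builds the Access-Request per RFC 2865 (User-Password hiding) with a Message-Authenticator attribute (RFC 2869) and verifies the reply's Response Authenticator; the function names are illustrative, and the user, password and secret are the sample values from the post.

```python
import hashlib, hmac, os, socket, struct

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def attr(code, value):
    return struct.pack("!BB", code, len(value) + 2) + value

def access_request(user, password, secret, nas_port=0, ident=1, authenticator=None):
    """Access-Request (code 1): User-Name, User-Password, NAS-Port, Message-Authenticator."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attr(1, user.encode())
             + attr(2, hide_password(password.encode(), secret, authenticator))
             + attr(5, struct.pack("!I", nas_port))
             + attr(80, b"\x00" * 16))  # zeroed while the HMAC is computed
    packet = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # Message-Authenticator value is the last 16 bytes

def check_reply(reply, request, secret):
    """Verify the Response Authenticator before trusting the reply code."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1] or length != len(reply):
        raise ValueError("reply does not match request")
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, reply[4:20]):
        raise ValueError("bad Response Authenticator (shared secret mismatch?)")
    return {2: "Access-Accept", 3: "Access-Reject"}.get(code, f"code {code}")

def authenticate(server, user, password, secret, port=1812, timeout=3.0):
    """Send one request over UDP and return the verified result."""
    request = access_request(user, password, secret)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (server, port))
        reply, _ = s.recvfrom(4096)
    return check_reply(reply, request, secret)

if __name__ == "__main__":
    import sys  # usage: python3 this_script.py <router ip>
    print(authenticate(sys.argv[1], "testing", "paaswoord", b"myownsecret"))
```

The password is only masked with MD5 of the shared secret, so the strength of the secret in clients.conf is what protects it on the wire. A timeout with no reply usually means the sending address has no matching client entry, since the server silently drops requests from unknown clients.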